
Opinion

Medibank on the hook for trillions but there’s more at stake than money

The $21.5 trillion (yes trillion) in fines that Medibank Private could potentially pay as a result of legal action taken by Australia’s privacy watchdog is a screamer of a headline, and easy to relegate to the realms of fantasy.

But it does serve as an uncomfortable reminder to corporate Australia that it’s not just the cyber criminals that are now on the hook.

The privacy watchdog has sued Medibank over its cyber hack.Credit: Steven Siewert

Reliving the cyberattack nightmare, perpetrated by some particularly unsavory Russian criminals, is the last thing Medibank or its shareholders want, but having a court adjudicate on Medibank’s culpability sends a crucial message to Australian companies that believe (or at least claim) that they are doing a good job keeping their customers’ data safe.

Medibank was convinced it was doing a good job, as was Optus, which suffered a major cyberattack in 2022 and is now being pursued in the Federal Court by a different regulator, the Australian Communications and Media Authority (ACMA).

In Medibank’s case, the heat is being applied by Australia’s privacy regulator – the relatively unknown Office of the Australian Information Commissioner (OAIC), which has instigated civil proceedings in the Federal Court against the insurer for failing to protect the privacy of 9.7 million Australians whose details were stolen in the 2022 cyberattack.

If Medibank ends up losing it will pay a fraction of the trillions it is technically on the hook for, and there is a chance it may not lose at all, given the insurer’s intentions to defend the proceedings. Medibank is already the subject of four class actions relating to the cyberattack, so it will remain a litigant for quite a while yet.

The OAIC is a regulator that can’t simply impose fines by itself for what it determines is a breach of the Privacy Act; it needs to take action via the courts. Any action it takes must also reach particular thresholds related to the seriousness or repetition of the breach.

The Medibank breach certainly met the seriousness threshold. Millions of its current and former customers had their sensitive details published on the dark web resulting in harm for many, especially those whose substance abuse problems and mental health issues were outed on the dark web.

“We allege Medibank failed to take reasonable steps to protect personal information it held given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach,” the OAIC’s acting commissioner said on Wednesday.

But how the court will treat the alleged contravention of the Privacy Act is difficult to predict. The OAIC has taken similar action only twice previously and both cases are still grinding their way through the courts.

So in terms of precedent, there is none.

The OAIC’s first action, taken in 2020, was against Facebook’s owner Meta. The watchdog alleged that, “the personal information of Australian Facebook users was given to the ‘This is Your Digital Life’ app for a purpose other than the purpose for which the information was collected”.

“The information was exposed to the risk of being disclosed to Cambridge Analytica and used for political profiling purposes, and to other third parties,” the OAIC added.

The regulator is also running a Federal Court case against Australian Clinical Labs, in which it claims the company (also the victim of a data breach) failed to take reasonable steps to protect patients’ health information.

One curious element of Medibank’s cyber headaches was that the optics didn’t play out too badly for the insurer at the time. There was lots of noise and the share price tumbled, but unlike Optus, many viewed Medibank as a victim rather than a company that should be blamed for lax diligence around data protection.

Membership numbers recovered as did profit. But in the most recent half-year results, Medibank said it expected non-recurring cybercrime costs to be between $30 million and $35 million in 2024. These costs are related to further IT security, legal and other costs related to regulatory investigations and litigation.

So, the ghosts of the cyberattack aren’t going to go away for Medibank anytime soon, but at least shareholders aren’t expecting the worst when it comes to the civil action lodged by the privacy watchdog.

Medibank shares slipped about 1.1 per cent on the news, wiping roughly $100 million off the insurer’s market value. A pretty tame reaction to the prospect of a hefty fine and potentially a loss of face for Medibank’s management.

Original URL: https://www.smh.com.au/business/companies/medibank-on-the-hook-for-trillions-but-there-s-more-at-stake-than-money-20240604-p5jj62.html